Tomcat on Debian-based distros – Local Root Privilege Escalation


The vulnerability is located in the tomcat init script provided by affected packages, normally installed at /etc/init.d/tomcatN.

The script for tomcat7 contains the following lines:

# Run the script as a daemon
set +e
touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out

A local attacker who has gained access to the server in the context of the tomcat user (for example, through a vulnerability in a web application) can replace the log file with a symlink to an arbitrary system file. Privileges are escalated to root once the Tomcat init script, which runs as root, re-opens the catalina.out file after a service restart, a reboot, etc.
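
A hardened form of the touch/chown step shown above, as an added example; it is not the packaged init script and not the distribution's fix, and the function name prepare_owned_file is hypothetical. It refuses symlinks and non-regular files before root touches them, and uses chown -h so the last path component is never followed.

```shell
#!/bin/sh
# Added example: defensive replacement for
#   touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
#   chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
# when the directory holding the file is writable by the unprivileged user.

# prepare_owned_file OWNER PATH   (hypothetical helper name)
# Returns 0 when PATH is a regular file now owned by OWNER, 1 when refused.
prepare_owned_file() {
    owner=$1
    path=$2

    # A symlink (dangling or not) in a service-writable directory is never
    # something root should create through or chown through.
    if [ -L "$path" ]; then
        echo "refusing: $path is a symlink" >&2
        return 1
    fi

    # Directories, FIFOs, device nodes and so on are not log or PID files.
    if [ -e "$path" ] && [ ! -f "$path" ]; then
        echo "refusing: $path is not a regular file" >&2
        return 1
    fi

    # Create the file only if it is absent. noclobber makes the shell open
    # with O_EXCL, which fails if a link appears between the test and the open.
    if [ ! -e "$path" ]; then
        ( set -C; : > "$path" ) 2>/dev/null || {
            echo "refusing: could not create $path exclusively" >&2
            return 1
        }
    fi

    # -h acts on the link itself if the path was swapped after the checks,
    # so the target of a late-planted symlink keeps its owner.
    chown -h "$owner" "$path"
}

# Intended call sites in an init script (variables as in the snippet above):
#   prepare_owned_file "$TOMCAT7_USER" "$CATALINA_PID" || exit 1
#   prepare_owned_file "$TOMCAT7_USER" "$CATALINA_BASE/logs/catalina.out" || exit 1
```

The checks narrow the window but do not close it entirely; keeping root-written files out of directories the service user can write to removes the condition altogether.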

Affected versions:

  • Tomcat 8 <= 8.0.36-2
  • Tomcat 7 <= 7.0.70-2
  • Tomcat 6 <= 6.0.45+dfsg-1~deb8u1

Recommended action: Update to the latest tomcat packages provided by your distribution.
